Spring OAuth2 standalone resource server configuration

Par*_*rag 5 spring-security oauth-2.0

I am trying to configure separate authentication and resource servers for OAuth2. I was able to configure the authorization server successfully, and I can authenticate and generate access tokens. Now I want to configure a resource server that talks to the auth server through an API endpoint to validate access tokens. Below is my resource server configuration.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableResourceServer
@EnableWebSecurity
public class Oauth2SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("Oauth2SecurityConfiguration before");
        http
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/api/v1/**").authenticated();
        System.out.println("Oauth2SecurityConfiguration  after");
    }

    @Bean
    public AccessTokenConverter accessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

    // Token validation is delegated to the auth server's /oauth/check_token endpoint.
    @Bean
    public RemoteTokenServices remoteTokenServices() {
        final RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
        remoteTokenServices.setCheckTokenEndpointUrl("http://localhost:9000/authserver/oauth/check_token");
        remoteTokenServices.setClientId("clientId");
        remoteTokenServices.setClientSecret("clientSecret");
        remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
        return remoteTokenServices;
    }

    // Added only to make the application context load (see question 1 below).
    @Override
    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager();
        authenticationManager.setTokenServices(remoteTokenServices());
        return authenticationManager;
    }
}


@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        System.out.println("http.csrf().disable()");
        http.authorizeRequests().antMatchers(HttpMethod.GET, "/api/v1/**").fullyAuthenticated();
        System.out.println("http.authorizeRequests().anyRequest().authenticated()");
    }
}


@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    // Enables #oauth2.* expressions in @PreAuthorize / @PostAuthorize.
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

Question: 1. Why do I need an AuthenticationManager on the resource server when all authentication is delegated to the auth server? (I had to add it to get the application context to load.)

Apart from that, I am facing the following issues.

  1. Even when I do not pass the Authorization header and access token with the request, it goes through.

    http GET "http://localhost:8080/DataPlatform/api/v1/123sw/members"
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Date: Mon, 19 Oct 2015 19:45:14 GMT
    Server: Apache-Coyote/1.1
    Transfer-Encoding: chunked
    {
    "entities": [], 
    "errors": [], 
    "message": null
    }
  2. The filter is only invoked once; I do not see any logs for subsequent requests. Is it caching the authorization somewhere?

I am new to Spring. Please let me know if I am doing something wrong. I am using

spring-security-oauth2 : 2.0.7.RELEASE
spring-security-core   : 4.0.1.RELEASE
java : 1.8

pas*_*kos -1

You don't need @EnableWebSecurity on Oauth2SecurityConfiguration; @EnableResourceServer is enough. You should also replace extends WebSecurityConfigurerAdapter with extends ResourceServerConfigurerAdapter.

If you want to use your RemoteTokenServices instance, I suggest you override public void configure(ResourceServerSecurityConfigurer resources) throws Exception in your ResourceServerConfigurerAdapter:

@Override
public void configure( ResourceServerSecurityConfigurer resources ) throws Exception
{
    // serverConfig is not shown in the answer; it is assumed to be an injected
    // bean that exposes the RemoteTokenServices instance.
    resources.tokenServices( serverConfig.getTokenServices() );
}
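Pulling the answer's advice and the question's RemoteTokenServices bean together, here is one self-contained resource server configuration. This is an added example written for this page, not the asker's or answerer's code: it uses the spring-security-oauth2 2.0.x classes named on the page (ResourceServerConfigurerAdapter, ResourceServerSecurityConfigurer, RemoteTokenServices, DefaultAccessTokenConverter), but the property names auth.check-token-url / auth.client-id / auth.client-secret and the resource id "data-platform" are assumptions chosen for the example. It keeps a single @EnableResourceServer class, drops the WebSecurityConfigurerAdapter and the hand-built AuthenticationManager, and closes the gap from issue 1 by denying anything that is not an explicitly authenticated GET under /api/v1/.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

/**
 * Single resource server configuration. @EnableResourceServer installs the
 * OAuth2 filter chain and wires the token services below into it, so no
 * WebSecurityConfigurerAdapter and no explicit AuthenticationManager are needed.
 */
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumed property names; the values live in application.properties
    // so that the check_token client credentials are not hard-coded in source.
    @Value("${auth.check-token-url}")
    private String checkTokenUrl;

    @Value("${auth.client-id}")
    private String clientId;

    @Value("${auth.client-secret}")
    private String clientSecret;

    /** Validates every bearer token by calling the auth server's check_token endpoint. */
    @Bean
    public RemoteTokenServices remoteTokenServices() {
        RemoteTokenServices tokenServices = new RemoteTokenServices();
        tokenServices.setCheckTokenEndpointUrl(checkTokenUrl);
        tokenServices.setClientId(clientId);
        tokenServices.setClientSecret(clientSecret);
        tokenServices.setAccessTokenConverter(new DefaultAccessTokenConverter());
        return tokenServices;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources
            // Constructed resource id; if the auth server puts an "aud" in the
            // token, it must contain this value or the token is rejected.
            .resourceId("data-platform")
            .tokenServices(remoteTokenServices())
            // No session is ever created for a token; every request re-validates.
            .stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Only authenticated GETs under /api/v1/ are allowed through ...
                .antMatchers(HttpMethod.GET, "/api/v1/**").authenticated()
                // ... and everything else is refused, so an unmatched path can
                // never be served anonymously by accident.
                .anyRequest().denyAll();
    }
}
```

With this in place a request without an Authorization header to /api/v1/... should get a 401 with a WWW-Authenticate: Bearer header rather than the 200 shown in the question; if it still returns 200, check that no other WebSecurityConfigurerAdapter in the context is registering an earlier, more permissive filter chain for the same paths.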